Contributor II
Posts: 48
Registered: ‎01-07-2013

PSK and ClearPass

Hi

 

A customer needs an SSID to have WPA2-PSK as authentication method to be able to connect devices that do not support 802.1X or Captive Portal.

But they would like to be able to grant only specific devices access to this SSID by letting ClearPass verify if the device is approved or not.

 

Is it possible to combine WPA2-PSK authentication with an additional check sent to ClearPass? Maybe an authorization request?

 

Best Regards

Jonas Erlund Hammarbäck

 

 

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: PSK and ClearPass

You would need to find the AAA profile for the WPA2-PSK WLAN and add a mac authentication profile to it.  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/MAC_Authentication/Configuring_MAC_Based_Au.htm

 

You would then set up mac-based authentication in ClearPass (I don't have a web link for that, but it should be in the help).



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: PSK and ClearPass

Thank you!

We will test this approach.

 

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: PSK and ClearPass

Keep in mind as well that ClearPass offers a unique authentication source called "Allow All MACAUTH". With this, we can leverage other context outside of maintaining a MAC address database for these users.

 

Essentially, ClearPass will allow any MAC address as valid for mac auth purposes. Then, with policy, you can assign roles or deny access based on other variables such as:

 

MAC OUI (Connection:Client-MAC-Address BEGINS WITH <value>)

MAC Vendor (Connection:Client-MAC-Vendor CONTAINS <value>)

Profile Info (Authorization:[Endpoints Repository]:Category OR OS Family CONTAINS <value>)

Hostname (Authorization:[Endpoints Repository]:Hostname CONTAINS <value>)

 

Or even a Custom Attribute YOU add to the Endpoint DB record for the device

 

All in all, you can write a very secure/granular policy without having to maintain specific MAC addresses.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
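
The policy approach described in the post above, modelled as an added example (not ClearPass code and not written by anyone in this thread): every MAC passes MAC authentication, and first-match rules with a default deny decide access. First-match evaluation, the rule values, the role names and the `Endpoint:PSK-Approved` custom attribute are assumptions made for illustration.

```python
import re

def normalize_mac(mac):
    """Reduce common MAC notations (colon, dash, dotted) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

OPERATORS = {
    "BEGINS_WITH": lambda actual, want: actual.startswith(want),
    "CONTAINS": lambda actual, want: want in actual,
    "EQUALS": lambda actual, want: actual == want,
}

# Constructed rules: (attribute, operator, value, role). Most specific first.
# "Endpoint:PSK-Approved" is a hypothetical custom attribute on the endpoint record.
RULES = [
    ("Endpoint:PSK-Approved", "EQUALS", "true", "psk-approved"),
    ("Authorization:[Endpoints Repository]:Hostname", "CONTAINS", "scanner", "psk-scanner"),
    ("Connection:Client-MAC-Address", "BEGINS_WITH", "aabbcc", "psk-oui"),
]
DEFAULT_ROLE = "deny"  # without this, accepting every MAC would admit every device

def evaluate(mac, endpoint_attrs=None):
    """Return the role for a client; endpoint_attrs is its endpoint record, if any."""
    attrs = {"Connection:Client-MAC-Address": normalize_mac(mac)}
    attrs.update(endpoint_attrs or {})
    for attribute, op, want, role in RULES:
        actual = attrs.get(attribute)
        # A missing attribute never matches, so unknown devices fall through.
        if actual is not None and OPERATORS[op](actual, want):
            return role
    return DEFAULT_ROLE

if __name__ == "__main__":
    # Constructed sample clients.
    print(evaluate("10:20:30:40:50:60", {"Endpoint:PSK-Approved": "true"}))
    print(evaluate("10-20-30-40-50-60"))
```
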
Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: PSK and ClearPass

The method "Allow All MACAUTH" combined with custom attributes in the Endpoints Repository will be the best solution for our purposes as I can see now.

 

Thanks for the tip!

Regards

Jonas Erlund Hammarbäck

MVP
Posts: 707
Registered: ‎12-01-2010

Re: PSK and ClearPass

I love when a "Search Airheads" hit gives me exactly what I need to solve today's (current) problem!

Thanks everyone!

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it